The risks were clear to computer experts inside Home Depot: The home improvement chain, they warned for years, might be easy prey for hackers.

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

Yet long before the attack came to light this month, Home Depot’s handling of its computer security was a record of missteps, the former employees said. Interviews with former members of the company’s cybersecurity team — who spoke on the condition they not be named, because they still work in the industry — suggest the company was slow to respond to early threats and only belatedly took action.

In recent years, Home Depot relied on outdated software to protect its network and scanned systems that handled customer information irregularly, those people said. Some members of its security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores.

Then, in 2012, Home Depot hired a computer engineer to help oversee security at its 2,200 stores. But this year, as hacks struck other retailers, that engineer was sentenced to four years in prison for deliberately disabling computers at the company where he previously worked.

Company officials said the malware used against Home Depot had not been seen before and would have been difficult to detect. Home Depot said on Thursday that it had patched any holes and that it is now safe for customers to shop there.

Any card used there between April and Sept. 2 might be vulnerable to being used fraudulently. Stephen Holmes, a Home Depot spokesman, said the company improved its security this year by encrypting register systems and switching to a new smart-chip-based payment standard in all stores.

“Our guiding principle is to do what’s right by our customers,” Mr. Holmes said. The company maintains “robust security systems,” he said.

Thefts like the one that hit Home Depot — and an ever-growing list of merchants including Albertsons, UPS, Goodwill Industries and Neiman Marcus — are the “new normal,” according to security experts. These people say retailers have not only been complacent about security, they have also been reluctant to share information with one another.

Government officials estimate that as many as 1,000 retailers have been infiltrated by variations of the malware that first struck another big retailer, Target, late last year, and then Home Depot this year. They say many companies do not even know they have been breached.

“This is happening to so many companies now, it is getting hard to keep track,” said Paul Kocher, the founder and chief scientist at the Cryptography Research division of Rambus.

Still, security experts were flabbergasted that Home Depot, one of the world’s largest retailers, was caught so flat-footed after the breach at Target, which resulted in the theft of data on more than 40 million cards before the holiday season.

After the Target theft, Home Depot’s chief executive, Frank Blake, assembled a team to determine how to protect the company’s network from a similar attack, said one person briefed on the project. In January, Home Depot brought experts in from Voltage Security, a data security company in California, these people said. By April, the company started introducing in some of its stores enhanced encryption that scrambled payment information the moment a card was swiped.

But criminals were already deep in Home Depot’s systems. By the time the company learned on Sept. 2 from banks and law enforcement that it had been breached, hackers had been stealing millions of customers’ card information, unnoticed for months. The rollout of the company’s new encryption was not completed until last week.

The retail industry is rushing to respond by forming threat-sharing associations — Home Depot was a founding member of one such group created earlier this year — and adopting new encryption and payment system they hope will thwart hackers.

But getting those efforts up and running could take months.

Several people who have worked in Home Depot’s security group in recent years said managers failed to take such threats as seriously as they should have. They said managers relied on outdated Symantec antivirus software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.

Also, the company performed vulnerability scans irregularly on the dozen or so computer systems inside its stores and often scanned only a small number of stores. Credit card industry security rules require large retailers like Home Depot to conduct such scans at least once a quarter, using technologies approved by the Payment Card Industry Security Standards Council, which develops technical requirements for its members’ data security programs. The P.C.I. Council requires that approved, third-party quality security assessors perform routine tests to ensure that merchants are compliant.

And yet, two former employees said, while Home Depot data centers in Austin, Tex., and Atlanta were scanned, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff. A spokeswoman for the P.C.I. Council in Wakefield, Mass., declined to comment on Home Depot specifically.

“Scanning is the easiest part of compliance,” said Avivah Litan, a cybersecurity analyst at Gartner, a research firm. “There are a lot of services that do this. They hardly cost any money. And they can be run cheaply from the cloud.”

Home Depot said the industry standards included an exception from scanning store systems that are separated from larger corporate networks, and it said the company had complied with P.C.I. standards since 2009.

In 2012, Home Depot hired Ricky Joe Mitchell, a security engineer, who was swiftly promoted under Jeff Mitchell, a senior director of information technology security, to a job in which he oversaw security systems at Home Depot’s stores. (The men are not related.)

But Ricky Joe Mitchell did not last long at Home Depot. Before joining the company, he was fired by EnerVest Operating, an oil and gas company, and, before he left, he disabled EnerVest’s computers for a month. He was sentenced to four years in federal prison in April.

Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”

A version of this article appears in print on , on Page A1 of the New York edition with the headline: Ex-Employees Say Home Depot Left Data Vulnerable. Order Reprints | Today’s Paper | Subscribe